Prototypes

Three prototypes were implemented for experimenting with different ways of gathering data and combining sensors in different settings. This section discusses the prototype implementations of the assistant and the lessons learnt. The implementations have been using an architecture similar to the one outlined in Section 2.4, where sensors monitor a pool of rather unstructured log-events.

Since the security debate about untrusted programs recently has focused a lot on applet-security, the initial plan was to develop a security assistant for the Java appletviewer. This idea was abandoned mainly due to problems in getting relevant log-data and the lack of non-trivial applets (from a security perspective). In the latter prototypes ordinary Unix-programs were monitored since they exhibit a more variegated behavior and better monitoring tools are available. Utility-programs, such as find, grep etc have an intuitively straightforward behavior that seemed relevant to monitor. Larger programs such as emacs or Netscape (at least when running its embedded Java-interpreter) can have very complex behaviors. They require more intricate descriptions of their expected behavior. Thus they where not considered in these prototypes.

The sensors implemented were focused on monitoring behavior related to file-accesses. This is because it is the domain that is most structured in today's operating systems and consequently easiest to get audit data from.

Java-prototype

The first prototype was a based on a specialization of the SecurityManager-class which is responsible for implementing access policies for the standard Java libraries. The SecurityManager was modified to produce log-events whenever a resource was asked for. The log-events where immediately forwarded to the sensors, allowing them to throw a SecurityException whenever they found a resource request breaking the current security policy.

In this prototype the sensors were fairly simple. Most sensors kept a per-program count of what properties the applets accessed, e.g how many files the applets attempted to read or how many TCP-connections the applet opened. Some sensors where more complex and could ask the user whether a particular action should be allowed, e.g if a file could be read.

: Screenshot from the Java-prototype monitoring two applets.

Some limitations in the current version of Java (JDK1.0) concerning what audit data can be extracted from the appletviewer could be noted. These are most likely deliberate design decisions to enable Java programs to run on smaller CPU:s, but makes Java less satisfactory for unconstrained experimentation.

A note on Java. First, since memory management is part of the language it is not possible to gather data concerning each applet's memory consumption. Since the garbage collection is automatic, it is not possible to prevent an applet from keeping a reference to an object thus hindering it from being removed. Secondly, it is not possible to place limits on or to measure the applets' CPU-usage, nor to limit or get audit-events when threads are created.

Although the applets reside in different name-spaces, applets can under some circumstances communicate directly with each other [47]. This message-passing is not auditable in the current appletviewer.

The current implementation of the appletviewer also has some drawbacks. The Java security approach is more focused on hard security. If the applet is allowed to create a file, further accesses to it are not auditable from the SecurityManager. Once allowed to open a socket to its source URL the applet will henceforth be allowed to use this connection.

Most applets at the time were not using any auditable system resources and the latter prototypes monitored Unix-programs instead of applets. However, there is now a collection of hostile applets [24] which would be interesting to study. Most of these applets do different kinds of denial-of-service attacks (i.e spewing out large numbers of windows) but also some attacks such as unexpectedly killing other threads or sending mail in your name.

Tcl-prototype

The second prototype was written entirely in Tcl. The objective was to investigate how sensors communicating in a KQML-like way should be constructed and since the sensors should be able to draw on the screen easily.

The Solaris command truss, which prints all system calls that a process executes was used to generate system events. The system events were parsed and routed to subscribing sensors. Other sensors could in turn subscribe to messages from these sensors.

The prototype consists of four components, three sensors and one message router (a.k.a facilitator). The components were placed in separate name-spaces (called interpreters in Tcl-jargon). Since Tcl is single-threaded the messages were passed to a central message queue to ensure that each message would be handled completely before any other message could be invoked on a sensor. The facilitator subscribes to all log-events from a sensor filtering the audit data from truss. The sensors advertise their interest in certain events to the facilitator who then asks the audit data filter to achieve that these events are added to the stream of audit events. The facilitator keeps track of the current subscriptions and routes the messages to the appropriate sensors. The facilitator is quite simple and does not, in this prototype, match the sensors advertising what questions they can answer to the proper recipients.

The sensors were designed to be as independent of each other as possible. The approach was to let them communicate with a speech-act based protocol, posing questions to each other in a content language. KIF is often suggested as a good content language for agents since it makes it easy to formulate queries in a prolog-like manner with partially instantiated terms etc. Instead of KIF, this prototype uses a much simpler language where matching is done using just one regular expression. Instead of using anonymous variables in the terms the bound variables are tagged with their name and sorted according to the tags. This makes it possible to construct a regular expression matching this partially instantiated term.

To free the components from the need of sophisticated query-parsing their message streams are allowed to contain some messages that should not be transmitted. The facilitator is responsible for removing these unnecessary messages and to duplicate messages that were asked for by multiple subscribers. Hence all the messages are routed through the facilitator.

: Early version of the Tcl-prototype. ``visual fingerprint'' of the command find /home1/ara/demo -name *.tcl -exec ls -l {} ;

There is no concept of variables in this simple content language and it is not possible to express that an unbound variable should to be bound to the same value on both sides of the conjunction. This means that more complex queries have to be subdivided into several queries, thereby requiring the query-issuer to maintain information about the query during the querying. This increases the message passing needed among the components.

The efforts to keep the sensors simple and expressed imperatively caused a lot of unnecessary message passing and caused the sensors to grow since they had to update a lot of state regarding what they knew about the state-of-affairs.

Most of the time in the program was spent by the facilitator parsing the messages and finding the appropriate recipient. In a time-critical application like this it is apparently much more efficient to add better support for message handling (especially better content language handling and better subscription-facilities) in the components themselves.

The main conclusion drawn is that the sensors should negotiate what data they are interested in before they start the auditing. If this is done, dedicated communication channels can be set up between the components so that they know what messages they can expect on a certain channel. This reduces the need for parsing and runtime routing. Optimally, the message-passing overhead should be similar to an indirect method-call.

Prolog-prototype

The third prototype addressed the problems from the Tcl-prototype of extensive message-handling overhead and the awkwardness in expressing relations. The event-pool was moved into a prolog-program to which sensors could connect and subscribe to events of issue new events.

The prolog-program holds knowledge about how system events relate to the current state of the active processes. This reduces the need for storing and copying information that can be inferred from the log events.

The content language was changed to prolog. This made it much easier to search and to express complex queries. The queries are plain prolog terms that are evaluated in the pool. Sensors can monitor the result of a query or ask for all current solutions. If the query is monitored the stream to the query-poser is kept with the query, hence no routing of messages is needed.

: Prolog-prototype displaying sensors and sensor information.

The use of a good knowledge-representation language greatly simplified the task of structuring the log data. Sensors for events such as ``what files were opened at a certain time'' or ``did process A cause process B to have fd X set to the same file as process C's fd 5'' are now very easy to write.

Using a language like prolog means of course disregarding loss of some efficiency compared to a C-implementation, but the use of a powerful inference engine and an expressive content language was decidedly of great help.

Example Sensors

Designing the sensors is the part that requires the most creativity and ingenuity. The sensors implemented in the prototypes were fairly simple and rule based, acting on certain events.

This section describes the sensors implemented and a brief discussion on some other sensors that can be conceived as well as some remarks on what features a sensor might have.

The sensors implemented in the prototypes were the following.

In the first prototype:

• NewAppletSensor alerts the user that a new applet has been loaded and starts new sensors specifically monitoring this applet. It is important that this sensor is unambiguous, which is not the case in this version of the applet viewer. Two applets in the same remote directory will be mixed, since they will get the same ClassLoader and hence share state if they use common classes. To keep applets distinct, they are required to reside in different directories.

• ReadSensor, WriteSensor maintains a count of how many files have been opened for reading/writing. Queries the user if reading/writing should be granted for the file and throws a SecurityException if not.
• EtcReadSensor, EtcWriteSensor are specializations of the ReadSensor/WriteSensor that only cares about certain system-specific directories. In this case /etc, /sbin, /bin and /tmp. This kind of sensor would monitor other directories in another operating system, e.g /dos,/windows,/temp in dos.
• ConnectSensor counts the number of TCP-connections opened by an applet and notifies the user of their destination. A hight count indicates that a the applet makes excessive use of the network, maybe for a port-walking attack or for acting as a server for connections from the outside.
• TopWindowSensor counts the number windows opened by an applet so that the user can see which applet opened the window.
• OutputSensor counts the number of disallowed actions for an applet. If an applet tries to do a lot of things it should not, it might be looking for security holes on the computer.
• UntouchedSensor counts the number of log-messages not classified by any sensor. This can be used as a crude measure of how well the applet's behavior conforms to what the active sensors are monitoring. A high number indicates that the applet is doing something else than what is monitored.
• PropertyAccessSensor counts the number of System-property-queries. An applet that reads properties of your system could be looking for security holes or gather information about your computer.

These sensors do not do any sophisticated classifying of events or comparison to a per-applet security profile. They were all straightforward to implement, with the exception of the applet sensor, since they use log-events from the SecurityManager.

Sensors measuring the number of threads and their respective CPU-usage could not be easily implemented since no hooks for that are available in the SecurityManager.

In the second prototype:

• showsys maintains an accumulating graph over a certain type of events. It is used to create a visual fingerprint of a program by drawing graphs for different system calls. The problem with this measure if used as a fingerprint is that it is very implementation dependent. It is hard to know what a program is up to if just raw system calls are visualized. Graphing higher level events, such as general file-I/O and inter-applet communication, could give a good picture of what is going on in the system and help locating the perpetrator of a denial-of-service attack. It is not a fool-proof method since the programs can be very subtle in their actions and in effect drown the important information in their other activity.

• filesensor is an example of how new functionality can be introduced by adding more sensors to the assistant. The filesensor subscribes to lower level events, in this case open, close, dup, fork, chdir, pipe, execve, execsuid, _exit, kill. From these events the sensor can keep track of what file descriptors correspond to what file in a particular process. Messages from this sensor can be subscribed to or queried for by other sensors.

• simpleutil monitors part of the expected behavior of a ``simple'' Unix utility. According to this sensor a simple Unix utility is not supposed to need to have a file open simultaneously as another program. As soon as a program monitored with the simpleutil-sensor opens a file, the filesensor is queried for other programs with this file open. If such a file exists, the user is notified.

The third prototype re-implemented the filesensor and simpleutil-sensor in prolog. Since a lot of the facts that had to be saved explicitly in the Tcl-version could be inferred, the size of the sensors shrank considerably.

New sensors in the third prototype:

• filter. The filter-sensor dictates that a filter never opens a file at all since it gets its input from stdio. This exemplifies a rule that constrains a very broad behavior independent of any implementation.

It is possible to conceive a lot of sensors to implement. I mention some possible sensors to give some inspiration as to what can be done. Whether they are the ones to be used in later prototypes will depend what actual behaviors the assistant will have to monitor.

All these measures can be used in conjunction with cardinality, frequency and distribution measures. The cardinality measures set common-sense limits to the activities. Frequency measures and distribution measures are harder to use since they suppose that you have long-term experience of this program. Moreover the demand that the particular implementation exhibits a certain distribution of events in time and category makes the measures more difficult to use in a general way.

• What filenames are accessed? Any sensitive keywords?
• What file-types? text-files, binary-files, configuration-files suid-scripts?
• What directories? Yours, others, system, competitors config-directories?
• Access of a file not created by the program itself?
• Is the activity correlated in time to the user-interaction?
• Can the program get raw keyboard input?
• Can the program find out the current time?
• Does the program open windows?
• Sockets, within or outside the computer, firewall, domain? What ports/services?
• Does the program accept/get connections?
• How much memory/disc/CPU is used?
• Does/can the program interact with other programs?
• Does the program access or process e-cash?

Below are some ad hoc examples of higher level sensors describing the behavior of some classes of programs. These categories are not definite in any way, but are given as inspiration to what can be said about a certain class of programs. Note that the descriptions do not contain any descriptions of what it does not do since any non-stated behavior should be disallowed. The vague words like ``short'', ``might'' and ``almost'' connote that this behavior varies between executions.

• Compiler creates executables, accesses header-files and libraries in the vendors directory hierarchy. Accesses source-files of a certain language. Only reads source-files once, short and intense execution.
• Editor is a long-lived program, writes intermittently to files already opened. Its activity is related to the user interaction. Only text-files are accessed. Files reside almost without exception in the user's directory tree.

• fileutility (make, find, du, grep etc) might traverse a directory tree. Its sub-processes can create files.

• Web-browser opens http-connections, reads/writes files in its vendors directory. Draws on the screen. (Netscape does not qualify here since it reads /etc/passwd!).